EFS for System Admins

by Dan DiNicolo, http://www.win2000trainer.com

EFS, I hardly knew ye.

Although the idea behind the Encrypting File System (EFS) in Windows 2000 seems pretty straightforward, there is a great deal more to it than first meets the eye. The purpose of this article is to explain how EFS actually works, and to provide practical configuration advice for system admins.

Why use EFS? The simple answer is that relying on NTFS permissions alone is sometimes not enough. There are simply too many utilities on the market that will allow a user to bypass NTFS security, such as NTFSDOS. Beyond the utilities, imagine the scenario with a mobile user. If the user's laptop were stolen, the thief would only need to either remove the hard drive and place it into another W2K system, or reinstall W2K and take ownership of the folder as the new administrator account. In either scenario, highly confidential data is not safe. If you're looking for more security, EFS may be the answer, and you can't beat the price.

I'm going to try not to bore you with the details of what you probably already know. Here's the useful beginner stuff, just to get it out of the way:

- EFS can only be used on NTFS formatted volumes.
- EFS cannot encrypt files if any of the following attributes are set: Read-only, System or Compressed.
- If you have 'write' permissions to a file, you can encrypt it.
- If the user who encrypted the file moves it to a FAT volume, the file is no longer encrypted.
- EFS encryption is relatively transparent to the user. To encrypt a file, the user need only set the encryption attribute on the file, or save it to an encrypted folder.
- EFS is file-system encryption. That means that when an EFS-encrypted file moves over the network, it is NOT encrypted.
- EFS does not prevent a user with the appropriate NTFS permissions from deleting a file.
- To encrypt many files at once, use Cipher.exe from the command line.
- When an encrypted file is opened, so are temporary copies if they exist.
- Users cannot share encrypted files.
- Only the user who encrypted a file can open it (with exceptions, of course!).

The last item on the list is important. Although the only person who can open an EFS-encrypted file is officially the person who encrypted it, there is still a back door of sorts - the recovery agent. The recovery agent is by default the domain Administrator account (more on this later, but there can be more than one), and can open files that were EFS-encrypted by another user. The reason for this is simple. If a user somehow loses their private key, or snaps and goes encryption-crazy on their last day on the job, we have a way to recover their files.

Before I get into the configuration details, I first want to explore how EFS encryption works. EFS uses public-key cryptography in order to secure files. This means that both a public key and private key exist for the purpose of encryption and decryption. However, what the public key encrypts is not the files themselves. Instead, every file is encrypted with a unique key, called a FEK (file encryption key), and this FEK is stored in the header of the encrypted file, in a field called the Data Decryption Field (DDF). The FEK isn't just left there all open and exposed, however. It is encrypted with the user's public key. When the user wants to open the file, their private key is used to decrypt the FEK, and then the FEK is used to decrypt the file. The beauty of this arrangement is that even if a hacker were able to decrypt the FEK, they still only get into a single file, since every file has a unique FEK.
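As an added illustration (not code from the article or from Microsoft's EFS implementation), the Go program below models the arrangement just described: a random FEK per file, the body encrypted under that FEK, and the FEK stored wrapped under the user's public key (the DDF), with a second wrapped copy for the recovery agent mentioned earlier (labelled DRF here). AES-GCM and RSA-OAEP stand in for the algorithms EFS actually uses, and the type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile mirrors the article's layout: body encrypted under a per-file FEK, plus that FEK wrapped for the owner (DDF) and the recovery agent (DRF).
type EncryptedFile struct{ Nonce, Body, DDF, DRF []byte }

func must(err error) { // setup failures only (bad key size, no entropy)
	if err != nil {
		panic(err)
	}
}

func fekCipher(fek []byte) cipher.AEAD { // AES-GCM stands in for EFS's own symmetric algorithm
	block, err := aes.NewCipher(fek)
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	return aead
}

// EncryptFile draws a fresh FEK for this file only, encrypts the body with it, then wraps
// the FEK under the user's and the recovery agent's public keys (RSA-OAEP stands in here).
func EncryptFile(plain []byte, user, agent *rsa.PublicKey) *EncryptedFile {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	_, err := rand.Read(buf)
	must(err)
	fek, nonce := buf[:32], buf[32:]
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, user, fek, nil)
	must(err)
	drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil)
	must(err)
	return &EncryptedFile{nonce, fekCipher(fek).Seal(nil, nonce, plain, nil), ddf, drf}
}

// DecryptFile unwraps the FEK from one header field (f.DDF for the owner, f.DRF for the
// recovery agent) and decrypts the body; any other private key fails at the unwrap step.
func DecryptFile(f *EncryptedFile, field []byte, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, field, nil)
	if err != nil {
		return nil, err
	}
	return fekCipher(fek).Open(nil, f.Nonce, f.Body, nil)
}
```

Because every call to EncryptFile draws a new FEK, two encryptions of the same plaintext share neither body nor wrapped key, which is the "one FEK only opens one file" property the paragraph describes.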